Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-26058
6.1 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): LOW
- Availability impact (A): NONE
Zulip: Path Traversal in Import
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.
References
-
https://github.com/zulip/zulip/security/advisories/GHSA-xm5c-c6mp-3956 x_refsource_CONFIRM
Affected products
zulip
- ==>= 1.4.0, < 11.6
Matching in nixpkgs
pkgs.zulip
Desktop client for Zulip Chat
pkgs.zulip-term
Zulip's official terminal client
-
nixos-unstable 0.7.0-unstable-2026-02-10
- nixpkgs-unstable 0.7.0-unstable-2026-02-10
- nixos-unstable-small 0.7.0-unstable-2026-02-10
-
nixos-25.11 0.7.0-unstable-2025-05-19
- nixos-25.11-small 0.7.0-unstable-2025-05-19
- nixpkgs-25.11-darwin 0.7.0-unstable-2025-05-19
pkgs.matrix-zulip-bridge
Matrix puppeting appservice bridge for Zulip
pkgs.python312Packages.zulip
Bindings for the Zulip message API
pkgs.python313Packages.zulip
Bindings for the Zulip message API
pkgs.python314Packages.zulip
Bindings for the Zulip message API
pkgs.python312Packages.zulip-emoji-mapping
Get emojis by Zulip names
pkgs.python313Packages.zulip-emoji-mapping
Get emojis by Zulip names
pkgs.python314Packages.zulip-emoji-mapping
Get emojis by Zulip names
Package maintainers
-
@judgeNotFound Robert Richter <robert.richter@rrcomtech.com>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
-
@andersk Anders Kaseorg <andersk@mit.edu>